Re: Firewall needed behind router?

From: Triffid (triffid_at_nebula.net)
Date: 06/10/05


Date: Fri, 10 Jun 2005 01:30:13 -0400


Chuck wrote:

> On Thu, 9 Jun 2005 20:09:09 +1200, "Peter in New Zealand"
> <peterbalplug@xtra.co.nz> wrote:
>
>
>>I have three PCs on a LAN which is connected to the Internet via the
>>modem/router unit. Is there any advantage in having a software firewall (in
>>this case McAfee) on these machines, or would the router be sufficient
>>protection? There's no requirement for inter-PC protection - just from the
>>Internet. We just recently upgraded to broadband after a decade of dialup,
>>so it is all a bit new to me. The tech told me the router is configured to
>>prevent DOS and hacker attacks, and I understand a little of the theory, but
>>not a lot, so I apologise if this is a silly question. Thank heaps for
>>helping.
>
>
> Peter,
>
> This isn't a silly question. This question gets asked almost daily, and should
> be asked more.
>
> If you have multiple computers on a LAN, and any one of them is used for
> Internet access of any type, you should have a personal firewall on each one of
> them. If any one of them should get infected, it could be with a combined
> threat that enters the LAN as browser data, and then attacks other computers on
> the LAN. Having a PFW on each one could save the others, and could alert you to
> the infection.
> <http://nitecruzr.blogspot.com/2005/05/please-protect-yourself-layer-your.html>

I'm with you when it comes to advocating defense in depth; however, PFWs
have a well-deserved reputation for causing functionality and
performance problems while frequently crying wolf, and IMHO are of very
limited value given current malware capable of disabling and/or
reconfiguring them.

As the administrator of a home network similar to the OP's, configured
and maintained in accordance with generally accepted best practices, my
biggest concern is the possibility of systems being conscripted via a
careless click and/or a zero-day exploit. Modern botnets are highly
sophisticated and modular, and there is significant financial incentive
for continued development:

http://www.honeynet.org/papers/bots/

In today's environment, I no longer feel comfortable on a home network
that relies entirely on PFWs to intercept malicious outbound traffic -
so I replaced the NAT router with a firewall. It provides significantly
improved outbound control - e.g. IM is now blocked after children's
bedtime :-) - but it won't protect me if the botnet owner's ircD is
listening on a permitted port...

My firewall appliance was cheap - it only cost 8x the price of a NAT
router - and IMHO is easy to configure, but the average home broadband
user would probably disagree on both counts. No silver bullets here, but
I suspect there's a huge market for an appliance with the functionality
of (e.g.) a Netscreen 5GT, but sporting an exception-based user interface
like the PFWs and a price competitive with the NAT routers.

Unfortunately the bad guys are currently way ahead of usable and
affordable defenses available to the average home broadband user, so
large botnets proliferate and grow.

Triffid
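As an added illustration of the point Triffid makes above (not part of the original post or of any real appliance's configuration), the following model contrasts a NAT router's forward-everything behaviour with a perimeter firewall's first-match egress rules and implicit default deny, including a time-of-day rule for IM and the "permitted port" caveat. Rule names, the 1863 IM port, and the bedtime window are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed egress rules in the spirit of the post: a perimeter firewall
# with first-match rules and an implicit default deny, versus a NAT router
# that forwards any outbound connection.


@dataclass(frozen=True)
class Rule:
    name: str
    dst_port: Optional[int]                   # None matches any port
    action: str                               # "allow" or "deny"
    window: Optional[Tuple[str, str]] = None  # ("HH:MM", "HH:MM") when active


def in_window(now: str, start: str, end: str) -> bool:
    """True if now falls in [start, end). Zero-padded HH:MM strings compare
    correctly as text, and a window may wrap past midnight (21:00-07:00)."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def evaluate(rules, dst_port: int, now: str) -> Tuple[str, str]:
    """First matching rule wins; no match means the implicit default deny."""
    for r in rules:
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if r.window is not None and not in_window(now, *r.window):
            continue
        return r.action, r.name
    return "deny", "default-deny"


# Constructed policy (assumed: 1863 for IM; 53/80/443 are the standard ports).
FIREWALL_RULES = [
    Rule("im-after-bedtime", 1863, "deny", ("21:00", "07:00")),
    Rule("allow-im-daytime", 1863, "allow"),
    Rule("allow-dns", 53, "allow"),
    Rule("allow-http", 80, "allow"),
    Rule("allow-https", 443, "allow"),
]
NAT_ROUTER_RULES = [Rule("nat-allow-all", None, "allow")]

if __name__ == "__main__":
    # IRC on 6667 from a compromised host: NAT lets it out, the firewall does not.
    print(evaluate(NAT_ROUTER_RULES, 6667, "15:00"), evaluate(FIREWALL_RULES, 6667, "15:00"))
    # IM denied after bedtime, allowed during the day.
    print(evaluate(FIREWALL_RULES, 1863, "22:30"), evaluate(FIREWALL_RULES, 1863, "16:00"))
    # The caveat from the post: a listener on a permitted port passes anyway.
    print(evaluate(FIREWALL_RULES, 443, "22:30"))
```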


